Reading Saddam's Email

What to do with an enemy's hard drives.

by Michael Tanji

STEPHEN F. HAYES has written extensively in these pages about a large cache of documents and digital media captured in the course of Operation Iraqi Freedom and Operation Enduring Freedom. A great deal of this material has been obtained by the U.S. military and eventually the U.S. intelligence services. As a former intelligence officer who dealt with digital media exploitation and analysis issues at the Defense Intelligence Agency for nearly four years (2001 to 2005), I am prohibited from speaking publicly about what these documents may contain. What I can do is share my professional opinion on how one might solve some of the major problems associated with media exploitation.

Let us assume hypothetically that the United States has overthrown a hostile regime, and a vast amount of paper and digital media has been looted or otherwise removed from the regime's ministries, industrial centers, and other facilities. Because of the lack of context—reliable information about where each item was obtained, who it belonged to, and so on—U.S. intelligence is faced with trying to make sense of a massive, amorphous heap of paper and digital data. How can we hope to make any real sense of this mass of stuff?

Exploiting paper documents is a relatively simple matter of reading and, if necessary, translating. The problem of finding enough qualified, trusted Arabic speakers and translators is great, but familiar. Exploiting digital media is another story. Before you can read the data, you have to find it. Enter "computer forensics."

Outside the intelligence field, computer forensics is the process by which data are extracted, preserved, and analyzed for pertinence and meaning. The computer forensics community has worked very hard to bring its practices up to the level portrayed on TV in shows like CSI, where digital evidence is now accepted in court as much as fingerprints or blood splatters. It stands to reason that the same people, tools, and methods used in computer crime labs are also used in intelligence efforts. However, the courtroom-centric, linear, law-enforcement mindset is actually a hindrance to effective exploitation for purposes of intelligence.

A computer forensics examiner in a crime lab generally has access to the investigators, knows the nature of the crime, and knows the most common places to look for evidence. A piece of evidence comes to him in a plastic bag with a tag on it saying where it was found, what kind of computer it came out of, and so on. On the battlefield there is no time to "bag-and-tag" evidence. You find something that looks useful, you grab it, secure it, and move on. When the mission is over, you head to the tent where the Military Intelligence guys hang out and drop off your goods, covered in dust and a lot worse for wear. Under such conditions, context beyond a label reading "hard drive found on Monday" is scarce.

A military intelligence unit is not interested in going to court; it is interested in helping soldiers put steel on target. Combat commanders need actionable intelligence so they can turn around and capture or kill more of the enemy (and obtain still more media to exploit). This is not to say that a law enforcement approach has no use in the larger intelligence business (for example, in counterintelligence investigations), but if the goal is good data fast, then what is good for cops is not good for soldiers.

You have a huge store of data and only the slightest idea where it came from, a vague idea of what to look for, and you must do the job to a standard of proof mindlessly imported from law enforcement and far exceeding what is necessary for your work. Is it any wonder that some consider the job hopeless? The demands are tremendous. But technical expertise and high-end equipment are hard to come by; so is good, trustworthy linguistic support; subject matter experts are by and large still back in Washington.

Consider some rough calculations. Assume our hypothetical hostile regime was a fairly large country with a population around 25 million. It was not the most technically advanced nation in the world, but it had ministries and industries and was believed to have advanced weapons capabilities. All these needed computers to function. Care to guess whether our formerly hostile regime had more than 100 computers? How much data does this translate into? One floor of an average-sized university library full of academic journals contains about 100 gigabytes of data, the size of a large but not uncommon hard drive. The data in 100 such hard drives are comparable to the print holdings of the Library of Congress. As if sheer quantity of data were not problem enough, remember that the materials have almost no supporting contextual information.

Given the problems, how does U.S. intelligence perform deep analysis on data that clearly need it? Technology can help. Let's face it: You've probably got more powerful software on your computer at home than the average intelligence analyst has on the job. Modern technologies could be put to good use by the intelligence community to solve data extraction, processing, analysis, and display problems, if only certain elements in the community could get over the "not-invented-here" syndrome. There are signs of progress, but it is slow.

The process of exploitation begins with the recognition that neither human intelligence nor signals intelligence is the be-all and end-all. Human sources can lie. They can hide parts of the truth. Unwitting dupes in a deception scheme can honestly tell you what they think is the truth. Intercepted signals generally reveal only part of the intelligence picture. In a complex web of bad guys, tapping the phones of one or two leaves a lot of gaps, especially when your adversary is a whole network of webs. Digital media, on the other hand, are less prone to be a means of deception, and even one node of a network can reveal a significant amount about the entire network. The problem of authenticity that sometimes complicates the exploitation of paper documents virtually does not arise.

Think about the data that you keep on your computers at work and at home. The memos and letters you write, the financial information you calculate, the websites you visit, and the people you email or instant-message—all this is a gold mine for anyone looking to know who you are, what you do, and with whom you cavort. Unless you write fiction for a living, these are the most accurate and factual data that can be obtained about you (short of reading your mind). Now imagine having access to the same data about your adversary.

First, when data come without any meaningful context, we have to re-create it after the fact. We begin to do this by building lists of keywords, phrases, personalities, and other data that pertain to the topics of interest to our intelligence services. These lists can easily include tens of thousands of terms, names, figures, and data formats.

The next step is to create a forensically sound process to spin off the more meaningful pieces of data (user-created documents, emails, spreadsheets, etc.) while leaving behind data that have less utility (files associated with the operating system and software applications). Let's call this our forensic centrifuge. Ideally our centrifuge will be built out of a cluster of computers: dozens of cheap processors networked together and scaled to rival a supercomputer in power. Cluster computers have been used by academia and the government for years, notably in places like NASA and the Department of Energy. Computer programs written to take advantage of the multiprocessor capabilities of the centrifuge will extract the easy-to-obtain data files, recover deleted files and those that have been obfuscated by various means, and find the data stored in web browsers, email software, and other programs. There are commercial applications that do this, but our applications will have to be custom-made.

Once we have this notional system, we can aim it at our amorphous heap of captured data. The result should be large but much more meaningful subsets of data that we can be reasonably assured were created by members of the former regime.

While we now have all the meaningful data we can obtain, there is one more step to take before we can overlay what is called our "contextual appliqué." Our extracted data files must be compared with files of the same type—another computer process easily crafted—for both physical and content similarities. Through this process we should be able to determine things like:

• the names of people who drafted, edited, and were expected to receive memorandums, letters, and orders, and sometimes which computers they worked on;
• which computers were likely networked together, within the same ministry or between trusted associates;
• discussions between former regime elements in the form of both memorandums and email exchanges, as well as the personal thoughts revealed in private letters between confidants; and
• the foreign contacts of former regime elements in the form of email addresses and website data.

This information and more can be used to reconstruct both the physical and social networks of our former hostile regime. It can show who was talking to whom and who was working on what prior to the war. Our contextual appliqué is now complete, and many gaps left by insufficient prewar human and signals intelligence can be filled in.

The system just described for sorting and organizing data is notional, but not fanciful. The technology exists, the mental wherewithal exists, and the contract vehicles exist. If we want to do this, we know how. If we want to do it fast, and provide sufficient resources, we can see significant results this year. Adapting widely accepted technical methodologies to the unique challenges our intelligence services face is merely good sense.

There is of course a strong political aspect to media exploitation. We could very well have in our possession ample material to support all the reasons the public was told justified going to war—or we could find the opposite, or find there are no clear conclusions to be drawn. Which end of the political spectrum will come out ahead is not clear going in. But unless we look, we will always be faced—in the immortal words of Donald Rumsfeld—with a huge cache of "unknown unknowns." After all the detainees have been interrogated, and all of the sand at suspected facilities has been sifted and tested, the only way finally to close the book on what our hypothetical former hostile regime was up to is to analyze every last reliable source of data available to us. That is, if we are really interested in the truth.

Michael Tanji is an associate of the Terrorism Research Center. He opines on intelligence and security issues at groupintel.com.
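As an added example (not code from the article, and not a description of any actual DIA or contractor system), the following Python sketch walks through the two technical steps the article lays out: the forensic centrifuge that spins user-created material away from operating-system and application files, and the contextual appliqué that compares what survives and rebuilds who wrote, edited and received what, which disks held the same files, and which contacts were foreign. The corpus is constructed inline; the disk labels, paths, people, addresses, keyword list, the regime's "home" mail domain and the NSRL-style known-file hash set are all assumptions made for illustration. Known files are dropped by SHA-256, the remainder is ranked against a keyword list, an identical hash across two disks is treated as the "physical" similarity and word-shingle Jaccard overlap as the "content" similarity. Recovery of deleted or obfuscated files, which the article also calls for, is not shown.

```python
"""Toy 'forensic centrifuge' and 'contextual applique' over a constructed corpus.
Added example, not the article's own system: every host label, path, person,
address and keyword below is invented for illustration."""
import hashlib
import re
from email import message_from_bytes
from itertools import combinations

HOME_DOMAIN = "example.iq"   # assumed: the former regime's own mail domain

# Constructed file contents (a memo found on two disks, a budget, one email, two binaries).
MEMO = (b"Author: H. Qasim\nLast-Saved-By: R. Aziz\nDistribution: Ministry of Industry\n\n"
        b"Procurement of machine tools to be routed through a third-country broker.\n")
BUDGET = (b"Author: R. Aziz\nLast-Saved-By: R. Aziz\nDistribution: Finance\n\n"
          b"Quarterly budget: fuel, salaries, maintenance.\n")
MAIL = (b"From: h.qasim@industry.example.iq\nTo: r.aziz@industry.example.iq\n"
        b"Cc: supplier@machines.example.de\nSubject: tooling\n\n"
        b"Attached is the revised specification.\n")
SYS_BIN, APP_BIN = b"MZ\x90\x00 fake system dll", b"MZ\x90\x00 fake application exe"

# Captured media as (label on the evidence bag, path) -> contents.
CORPUS = {
    ("disk-monday-01", "WINDOWS/system32/kernel32.dll"): SYS_BIN,
    ("disk-monday-01", "Program Files/Office/winword.exe"): APP_BIN,
    ("disk-monday-01", "Users/hassan/memo-procurement.txt"): MEMO,
    ("disk-monday-01", "Mail/inbox/0001.eml"): MAIL,
    ("disk-tuesday-07", "WINDOWS/system32/kernel32.dll"): SYS_BIN,
    ("disk-tuesday-07", "Documents/memo-procurement.txt"): MEMO,
    ("disk-tuesday-07", "Documents/draft-budget.txt"): BUDGET,
}
KEYWORDS = ["machine tools", "broker", "specification"]   # real lists run to tens of thousands

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Stand-in for a reference hash set of known OS/application files (NSRL-style);
# built from the fake binaries so the example runs offline.
KNOWN_GOOD = {sha256(SYS_BIN), sha256(APP_BIN)}

def centrifuge(corpus, known_good=KNOWN_GOOD):
    """Spin off user-created material: drop every file whose hash is a known
    OS or application file, keep the rest."""
    return {key: data for key, data in corpus.items() if sha256(data) not in known_good}

def keyword_hits(user_files, keywords):
    """Rank user-created files by how many keyword-list terms they contain."""
    hits = {}
    for key, data in user_files.items():
        text = data.decode("utf-8", "ignore").lower()
        count = sum(text.count(term.lower()) for term in keywords)
        if count:
            hits[key] = count
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]))

def shingles(text, n=3):
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + n]) for i in range(max(len(words) - n + 1, 0))}

def content_similarity(a: bytes, b: bytes) -> float:
    """Content similarity as Jaccard overlap of word 3-gram shingles; an identical
    SHA-256 is the 'physical' similarity check used in build_applique."""
    sa, sb = shingles(a.decode("utf-8", "ignore")), shingles(b.decode("utf-8", "ignore"))
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def is_foreign(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[1]
    return domain != HOME_DOMAIN and not domain.endswith("." + HOME_DOMAIN)

def build_applique(user_files):
    """Reconstruct social links (who wrote/edited/received what), physical links
    (which disks hold identical files) and foreign contacts."""
    people, hosts, foreign, by_hash = set(), set(), set(), {}
    for (host, path), data in user_files.items():
        by_hash.setdefault(sha256(data), set()).add(host)
        if path.endswith(".eml"):
            msg = message_from_bytes(data)
            headers = " ".join(filter(None, [msg["From"], msg["To"], msg["Cc"]]))
            addrs = re.findall(r"[\w.+-]+@[\w.-]+", headers)
            for rcpt in addrs[1:]:                    # addrs[0] is the sender
                people.add(frozenset({addrs[0], rcpt}))
            foreign.update(a for a in addrs if is_foreign(a))
        else:   # plain-text document with Author/Last-Saved-By metadata lines
            meta = dict(re.findall(r"^([\w-]+):\s*(.+)$", data.decode("utf-8", "ignore"), re.M))
            author, editor = meta.get("Author"), meta.get("Last-Saved-By")
            if author and editor and author != editor:
                people.add(frozenset({author, editor}))
    for disks in by_hash.values():                     # same file on two disks: likely shared
        hosts.update(frozenset(pair) for pair in combinations(sorted(disks), 2))
    return people, hosts, foreign

if __name__ == "__main__":
    user = centrifuge(CORPUS)
    print("user-created files:", len(user), "of", len(CORPUS))
    print("keyword ranking:", keyword_hits(user, KEYWORDS))
    people, hosts, foreign = build_applique(user)
    print("people links:", [sorted(p) for p in people])
    print("disk links:", [sorted(h) for h in hosts], "foreign contacts:", sorted(foreign))
```

Run stand-alone it reports the four files that survive the centrifuge, the keyword ranking (the two copies of the memo first, then the email), the author/editor and sender/recipient links, the one disk-to-disk link created by the memo found on both drives, and the single foreign contact. In practice the known-file set would be a reference collection such as NIST's NSRL rather than two fake binaries, the metadata parser would read real document properties and mailbox formats, and the similarity pass would be run over every pair of same-type files across the cluster.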

Vol. 11 • February 2006 • No. 20


 